From 07b1367c2be6e727c93c58d1568817b54603a6c0 Mon Sep 17 00:00:00 2001 From: Archana Shinde Date: Thu, 23 Jun 2022 10:43:04 -0700 Subject: [PATCH 1/2] versions: Update kernel to latest LTS version 5.15.48 This brings in a few security fixes. Removing arm patches related to virtio-mem that are no longer required as they have been merged. Fixes #4438 Signed-off-by: Archana Shinde --- versions.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/versions.yaml b/versions.yaml index 5d031182ea13..d617518a53bc 100644 --- a/versions.yaml +++ b/versions.yaml @@ -153,7 +153,7 @@ assets: kernel: description: "Linux kernel optimised for virtual machines" url: "https://cdn.kernel.org/pub/linux/kernel/v5.x/" - version: "v5.15.26" + version: "v5.15.48" tdx: description: "Linux kernel that supports TDX" url: "https://github.com/intel/tdx/archive/refs/tags" From 93874cb3bb51bee1db98b3f404e509416c93f156 Mon Sep 17 00:00:00 2001 From: Archana Shinde Date: Thu, 23 Jun 2022 10:17:07 -0700 Subject: [PATCH 2/2] packaging: Restrict kernel patches applied to top-level dir The apply_patches.sh script applies all patches in the patches directory, as well as subdirectories. This means if there is a sub-dir called "experimental" under a major kernel version directory, experimental patches would be applied to the default kernel supported by Kata. We did not come across this issue earlier as typically the experimental kernel version was different from the default kernel. With both the default kernel and the arm-experimental kernel having the same major kernel version (5.15.x) at this time, trying to update the kernel patch version revealed that arm-experimental patches were being applied to the default kernel. Restricting the patches to be applied to the top level directory will solve the issue. The apply_patches script should ignore any sub-directories meant for experimental patches. Fixes #4520 
Signed-off-by: Archana Shinde --- tools/packaging/kernel/README.md | 4 ++-- tools/packaging/scripts/apply_patches.sh | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/packaging/kernel/README.md b/tools/packaging/kernel/README.md index 4f89121e032c..cb4840260e40 100644 --- a/tools/packaging/kernel/README.md +++ b/tools/packaging/kernel/README.md @@ -47,7 +47,7 @@ Options: -g : GPU vendor, intel or nvidia. -h : Display this help. -k : Path to kernel to build. - -p : Path to a directory with patches to apply to kernel. + -p : Path to a directory with patches to apply to kernel, only patches in top-level directory are applied. -t : Hypervisor_target. -v : Kernel version to use if kernel path not provided. ``` @@ -76,7 +76,7 @@ $ ./build-kernel.sh setup The script `./build-kernel.sh` tries to apply the patches from `${GOPATH}/src/github.com/kata-containers/kata-containers/tools/packaging/kernel/patches/` when it sets up a kernel. If you want to add a source modification, add a patch on this -directory. +directory. Patches present in the top-level directory are applied, with subdirectories being ignored. The script also adds a kernel config file from `${GOPATH}/src/github.com/kata-containers/kata-containers/tools/packaging/kernel/configs/` to `.config` diff --git a/tools/packaging/scripts/apply_patches.sh b/tools/packaging/scripts/apply_patches.sh index e5092779f56f..c5b8c748d71f 100755 --- a/tools/packaging/scripts/apply_patches.sh +++ b/tools/packaging/scripts/apply_patches.sh @@ -36,7 +36,7 @@ fi echo "INFO: Apply patches from $patches_dir" if [ -d "$patches_dir" ]; then - patches=($(find "$patches_dir" -name '*.patch'|sort -t- -k1,1n)) + patches=($(find "$patches_dir" -maxdepth 1 -name '*.patch'|sort -t- -k1,1n)) echo "INFO: Found ${#patches[@]} patches" for patch in ${patches[@]}; do echo "INFO: Apply $patch"
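Review bot: In PATCH 1/2, the commit message says the arm virtio-mem patches are being removed because they have been merged upstream, but the diffstat shows only `versions.yaml | 2 +-` (1 file changed), so no patch files are deleted by this commit. Either fold the deletion of those patch files into this commit so the message matches the diff, or drop that sentence and make the removal its own commit. It would also help reviewers to list which security fixes motivated the 5.15.26 to 5.15.48 bump, since "a few security fixes" is not something a later reader can verify against the hunk.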
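Review bot: In the README hunk at `@@ -47,7 +47,7 @@`, the new `-p` help text is a comma splice and is much longer than the neighbouring option lines; since this is the `build-kernel.sh` usage output, keep it to the same width as the other entries, for example `-p : Path to a directory with patches to apply to kernel (top-level directory only).`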
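Review bot: In the README hunk at `@@ -76,7 +76,7 @@`, "Patches present in the top-level directory are applied, with subdirectories being ignored." states the new rule but not the reason or the workaround, which is the point of PATCH 2/2. Say that subdirectories hold experimental patch sets that must not be applied to the default kernel, and that those are applied by passing the subdirectory itself to `-p`, so a user who puts a patch in a subdirectory knows why it was silently skipped.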
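Review bot: In the `apply_patches.sh` hunk at `@@ -36,7 +36,7 @@`, adding `-maxdepth 1` fixes the subdirectory problem but does so silently: a patch placed one level down is now skipped with no indication beyond the `INFO: Found ${#patches[@]} patches` count. Consider a second `find "$patches_dir" -mindepth 2 -name '*.patch'` that logs which nested patches were ignored, so a mis-filed patch is noticed rather than quietly dropped. Two pre-existing issues on the same line are worth touching while here: `patches=($(find ...))` and the unquoted `${patches[@]}` in the loop word-split on whitespace in `$patches_dir`, and `-maxdepth` is a GNU/BSD extension rather than POSIX. Since the script already relies on bash arrays, `shopt -s nullglob; patches=("$patches_dir"/*.patch)` gives the same top-level restriction without `find` or the word-splitting, and with zero-padded `NNNN-` prefixes the glob order matches what `sort -t- -k1,1n` produces (note that with absolute paths the first `-`-separated field of that sort key is the directory prefix, not the patch number, so the numeric sort already falls back to plain lexical ordering).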